№2. Ethical Hacking Labs. Network scanning

12 April 2023 17 minutes Author: Endpool

Network scanning: uncovering hidden systems

Network scanning is a technique used in computer security to gather information about a target network. The information collected during the scan includes information about hosts connected to the network, open ports, services running on those ports, and operating systems used. The goal of scanning is to identify potential vulnerabilities in the network, allowing an attacker to determine the best way to penetrate the network. There are several types of network scans, including port scans, ping scans, OS fingerprint scans, vulnerability scans, and more. Tools used for network scanning include Nmap, Nessus, OpenVAS, etc. Scanning is usually considered a pre-attack stage and is used to gather information and prepare for a potential attack. Network scanning is the process of actively investigating computer networks to gather information about network systems and the objects to which they belong. The purpose of network scanning is to identify devices connected to the network, their IP addresses, open ports, and services running on them.

This information is critical to understanding the state of network security, identifying vulnerable systems, and potential targets for attacks. There are different types of network scans, such as port scans, ping scans, and vulnerability scans. A port scan is used to determine open ports and services on a system, while a ping scan is used to determine whether there are active systems on the network. Vulnerability scanning, on the other hand, checks for known vulnerabilities in systems and applications and reports potential security risks. Network scanning is an important step in the penetration testing process and is often performed by security professionals to assess network security and identify potential weaknesses. However, it can also be used by attackers to gather information for their attacks and compromise systems.

Using hping3 UDP and TCP packet creation methods

Hping3 — is a network security tool used to send and analyze network packets. It can be used to check firewall rules, scan the network, and send different types of network packets. Hping3 is capable of sending TCP, UDP and ICMP packets and can be used to test the security of a target system. Hping3 is widely used by security professionals and is considered a versatile and effective tool for performing various types of network testing and analysis.


How to perform network scanning and packet creation using hping3 commands.


Kali Linux (attacker machine) Windows 10 (target machine).

Overview of creating packages

Packaging refers to the process of creating a software package, which is a preconfigured archive file that contains all the necessary files, libraries, and dependencies for a software application. The package is designed to facilitate software distribution, installation, and management. The process of building a package includes tasks such as building a package from source code, creating a package manifest, and testing the package. The purpose of creating packages is to make it easier for users to install and use the software, and to make it easier for system administrators to manage the software.

Basics of hping3

Log in to Kali Linux and launch a terminal. Use hping3-h to display all commands. We’ll focus on a few of them, so don’t worry.

Notice that at the bottom of the output, 3 packets were sent and received. You should get this answer. -c stands for packet count. Means we only want to send three packets to the target machine. Next, we’ll send a port range SYN flag scan.

–scan The parameter specifies the range of ports to scan. -S represents the SYN flag. The output shows the open ports on the target machine, i.e. Windows 10.

Creation of UDP packets

Send a TCP SYN request

Run Wireshark again on the Windows machine and leave it running. To send a TCP SYN request to the target machine, type:

This will send a 5-packet request to the victim machine on port 80. -S will perform a TCP SYN request on the target device, p will send traffic through the designated port, and -c is the number of packets sent to the target machine. Switch to the target machine (Windows) and observe the TCP packets collected in Wireshark. Then stop the packet capture and start a new capture again. Leave Wireshark running.

Perform TCP Flooding

Send –flood packets as fast as possible without worrying about displaying incoming responses. After a few seconds, stop capturing packets in Wireshark on Windows. You will notice a TCP flood from the attacker’s machine. Note. If you want to inspect the flow of TCP packets and perform reverse engineering, make sure you understand more than the infamous “three-way handshake”.

Determine target OS using TTL (Time-to-Live) and Windows TCP sizes using Wireshark

Identifying the operating system (OS) in use on a target host is the process of determining the specific type of operating system installed on the target computer system. This information can be obtained using various methods, including network scanning tools such as Nmap, or by examining the response of the target system to different types of requests. Knowing the OS used on the target host is important for various tasks such as vulnerability assessment, penetration testing, and exploit development. The OS used on the target host can provide information about potential security vulnerabilities and potential attack vectors that can be used to compromise the target system.


Detect OS by TTL and TCP window size using Wireshark.


Linux Ubuntu machines. Windows 7 machine Windows 10 machine (Target running Wireshark).

Banner capture overview:

There are two types of banner capture techniques: active and passive. Capturing banners or OS fingerprints is a method of determining the OS running on a remote system.

Using Wireshark to detect TTL

1. Open Wireshark on your Windows 10 computer, select the correct interface, and start capturing. (The interface may differ from your lab environment).

2. Go to your Ubuntu computer and start testing your Windows 10 computer.

3. Go back to Wireshark and check the ICMP protocol by selecting the captured packet frame; Expand the “Internet Protocol Version” node in the package details, you will see the TTL. A TTL value written as 64 means that the ICMP request came from a Linux-based machine.

4. Refresh Wireshark by running another capture and switch to Windows 7. You will repeat the same process but with a Windows 7 machine. Open a command prompt or Powershell and ping the Windows 10 machine running Wireshark.

5. Go back to Wireshark on the Windows 10 machine and check the same TTL information again. A TTL value written as 128 means that the ICMP request came from a computer running Windows.

Basic Network Troubleshooting with MegaPing (Windows)

MegaPing — is a network toolkit that allows users to perform a variety of network diagnostic tests, including ping, traceroute, whois, nslookup, and more. It is designed as a universal network tool for Windows operating systems that allows users to quickly diagnose and fix network problems. MegaPing can be used to monitor the availability of multiple network devices, diagnose connectivity issues, and identify network latency issues. In addition, it provides advanced features such as custom probes, adjustable timeouts, and customizable display options.


Detect live hosts and open ports of systems on the network.


Windows 7, 8 or 10. Windows Server 2012/2016 (targeted).

Scanning of active hosts

This software is very easy to use. Click IP Scanner on the left panel to start scanning.

Specify the IP range of your network lab and click Start Notice the check box on the right, you can view the MAC addresses of the collected hosts. MegaPing lists all IP addresses in the specified target range with their TTL, status (dead or alive) and statistics.

Run a Traceroute on the target

Right-click the IP address and select Traceroute . This action will execute a Traceroute, displaying the number of hops taken by the host machine to reach the target.

Run a port scan on the target host

  • Next, select Port Scanner from the left pane.

  • Enter the IP address of the target machine in the “Destination Address List” section and click “Add”.

This action will list all the ports associated with the target, along with the port type, keyword, risk, and description, as shown in the following screenshot:

Understanding the basics of network scanning with Nmap

Nmap (Network Mapper) —is a free, open source network scanning and intelligence tool that allows users to discover hosts and services on a computer network and determine what operating systems and programs are running on those systems. Nmap uses a variety of methods to identify hosts, determine open ports and services, and identify the operating system and software versions running on a target device. Nmap can be used for a variety of purposes, including vulnerability assessment, network inventory, and security auditing. It is widely used by network administrators, security professionals, and researchers to perform a variety of tasks related to network security and management.


  • Scan entire subnet.

  • Track all sent and received packages.

  • Perform a slow comprehensive scan.

  • Create a new profile to perform a zero scan.

  • TCP and UDP port scanning.


  • Windows server 2012 machine.

  • Windows 10 machine.

  • Ubuntu Metasploitable machine.

  • A Kali Linux machine.

  • Make sure that the network topology in your virtual environment is configured correctly.

Scan entire subnet

Open a terminal window and type nmap-h to list all available commands. Since Nmap has so many options, you can use this cheat sheet to see some examples.

Both do the same, with minor differences, such as subnet notation being slightly faster than wildcard notation. Run this scan and check the results. Nmap scans the entire network and displays information for all hosts along with open ports, device type, OS details.

Track all sent and received packages

Identification of services using TCP Null Scan


-sN: nil TCP scan.
-A: enables OS detection, version detection, script scanning, and traceroute
-T4: Time: (4) Aggressive mode speeds up scanning, assuming you’re on a fairly fast and reliable network.

When you run this command, Nmap sends TCP packets with none of the TCP flags set. If the scan returns an RST packet, it means that the port is closed; If nothing is returned, the port is either filtered or open.

As shown above, we can see part of the scan result performed on Metasploitable Linux. Later we can check the versions and type of services running on open ports. This type of information is very valuable as we can look for vulnerabilities, flaws, etc.

Scanning technique

Nmap comes with various built-in scripts that can be used during the scanning process to find open ports and services running on the ports.

Summary of scans that will be performed:

  1. TCP Connect Scan uses a regular TCP connection to determine if a port is available.

  2. Xmas Scan involves sending TCP segments with all the flags sent in the packet header, generating packets that are illegal according to the RFC.

  3. Scanning the ACK flag involves sending an ACK probe packet with a random sequence number.

  4. UDP scanning involves sending a generic UDP packet to the target device.

  5. IDLE scanning involves sending spoofed packets to a target.

1. TCP connection scanning

This scan is the simplest of the TCP scans. The connect() system call provided by your OS is used to open a connection to each port of interest on the machine. If the port is listening, connect() will succeed, otherwise the port is unreachable. One of the advantages of this technique is that you don’t need any special privileges.

2. Christmas scan

Xmas Scan sends a TCP frame to the remote device with the PSH, URG, and FIN flags set. FIN scans only with a TCP/IP OS designed according to RFC 793. The current version of MS Windows is not supported.

Nmap returns the result that all ports are open/filtered, which means that a firewall is configured on the target machine. Then disable the firewall on the target machine.

3. Scanning the ACK flag

ACK scanning never finds an open port. It only provides a “filtered” or “unfiltered” location because it never connects to the app to confirm the “open” state. This scan initiates an ACK scan and displays the port locations as shown below:

Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered An unfiltered response means the port is closed.

4. UDP scanning

A UDP scan is performed to find any UDP ports on the target machine. If present, to determine their status (Open/Closed).

5. IDLE Shiyan

Idle scanning is a technique used by hackers to scan ports while hiding their IP address. This is achieved by using an inactive (zombie) host between the attacker and the target system, which is used to send probe packets to the target. The response from the target is sent back to the attacker via the same zombie host, making it appear as if the test packets were sent from the zombie host instead of the attacker’s IP address. This allows an attacker to gather information about the target system without being detected.

In this example, the zombie will be a Windows Server 2012 machine and the target will be a Windows 10 machine using port number 80 (or whatever port you want to test).

Ping Sweep

Ping sweep — is a method that can set the range of IP addresses that are mapped to live hosts. Now, instead of testing individual systems, we will test all active systems on the network by performing a ping test.

Nmap scans the subnet and shows a list of active systems as shown above. The result may vary in your laboratory.

Avoid detection when scanning with multiple IP addresses

The Nmap command nmap -D RND:10 is a decoy option that allows you to scan using multiple decoy IP addresses. Firewalls and IDS detect normal scanning attempts on the target network. However, you can use IP spoofing techniques to avoid detection. Before starting this lab, make sure that Windows Firewall is enabled on the target device.

IP fragmentation

When the Windows Firewall service is enabled, you can only see the open ports as shown in the output above.

Perform the maximum transfer unit

IP address spoofing

This command is used to scan multiple decoy IP addresses. Nmap will send multiple packets to different IP addresses along with your attacker’s IP address. nmap -D RND:10 <Target IP Address> Again, the result is the same as the previous results, but the target view is very different. Check the Windows Server firewall logs and analyze the last scan that was performed. You can also analyze this information by running Wireshark. Both show multiple IP addresses along with your real IP address of the attacker.

Avoid detection when scanning with multiple IP addresses

The Nmap command nmap -D RND:10 is a decoy option that allows you to scan using multiple decoy IP addresses. Firewalls and IDS detect normal scanning attempts on the target network. However, you can use IP spoofing techniques to avoid detection. Before starting this lab, make sure that Windows Firewall is enabled on the target device.

IP fragmentation

When the Windows Firewall service is enabled, you can only see the open ports as shown in the output above.

Perform the maximum transfer unit

IP address spoofing

This command is used to scan multiple decoy IP addresses. Nmap will send multiple packets to different IP addresses along with your attacker’s IP address. nmap -D RND:10 <Target IP Address> Again, the result is the same as the previous results, but the target view is very different. Check the Windows Server firewall logs and analyze the last scan that was performed. You can also analyze this information by enabling Wireshark.

Windows scanning tools

Colasoft Package Builder

Colasoft Packet Builder — is a software tool used in computer networks to create custom network packets. It is commonly used to test and troubleshoot networking and security issues. The tool allows users to specify various packet parameters such as source and destination IP addresses, protocol used, and payload. This allows network administrators to simulate specific network conditions and test the behavior of network devices and security systems under those conditions. Colasoft Packet Builder is part of a suite of network analysis tools offered by Colasoft, a company specializing in solutions to improve network performance and security.

click here

NetScanTools Pro

NetScanTools Pro — is a set of network and Internet analysis tools designed to give network administrators and security professionals the tools they need to monitor and secure their networks. The software includes a variety of tools for tasks such as ping, route tracing, whois, and more. In addition, NetScanTools Pro provides information about network protocols and includes tools to analyze and interpret the results of these scans, helping to identify potential security vulnerabilities and other issues.

click here

IP tools

IP-Tools, also known as IP Utilities, is a collection of network tools and utilities used to diagnose and troubleshoot IP-related problems. These tools allow network administrators to perform various network-related tasks, such as testing network connectivity, scanning open ports, tracing routes, converting hostnames to IP addresses, and more. The IP-Tools suite typically includes a variety of tools such as ping, traceroute, nslookup, and other network diagnostic and troubleshooting tools. These tools are essential for network administrators, who use them to monitor and maintain the health of their networks, as well as to identify potential security risks and other issues that may arise.

click here

Angry IP Scanner

Angry IP Scanner — is a free, open source tool that can be used for network discovery, port scanning, and basic network inventory. It provides a quick, easy and convenient way to scan an IP address range or hostname and retrieve information such as hostnames, open ports, operating system and uptime. Angry IP Scanner can also be used to generate a report on detected hosts, and it supports plugins that extend its functionality. It is widely used by network administrators, security professionals and hobbyists to scan their networks and perform intelligence activities.

click here

Windows Proxy Tools

Workbench proxy

Proxy Workbench — is a unique proxy server—ideal for developers, security experts, and educators—that displays real-time data. A daisy-chain of proxies can make traffic analysis much more difficult and make it difficult for an interceptor to control different parts of the Internet.

click here

Proxy switch

Проксі-перемикач — allows you to automatically take action based on a detected network connection. A proxy switch for all your incognito browsing needs. It can be used to avoid all kinds of restrictions imposed by different sites. Be it a download site that limits the number of downloads. Or a video site only works in a certain country – most often it is defeated by the incognito features provided by Proxy Switcher.

click here


CyberGhost VPN

CyberGhost VPN — is a virtual private network (VPN) service that allows users to browse the web securely and anonymously by encrypting internet traffic and hiding their IP address. With CyberGhost VPN, users can access blocked websites, protect their online privacy, and prevent their online activities from being monitored by ISPs, government agencies, and hackers. The software is available for multiple platforms including Windows, Mac, iOS and Android.

click here

Proton VPN

ProtonVPN — is a virtual private network (VPN) service provided by the Swiss company Proton Technologies AG. It allows users to connect to the Internet securely and anonymously by routing their Internet traffic through an encrypted and secure tunnel. ProtonVPN offers a number of security and privacy features, including strong encryption, a no-logs policy, and a built-in switch to protect users’ online privacy and security. In addition, the VPN service provides access to a large network of servers in different countries, allowing users to bypass censorship, geo-restrictions and other online restrictions.

click here

Network discovery tool

Network topology cartographer

SolarWinds Network Topology Mapper — is a software tool designed to display and visualize the physical and logical topology of a computer network. It helps network administrators understand the relationships between network devices and components and provides an interactive graphical representation of the network topology. The tool can detect and map network devices, including routers, switches, firewalls, and servers, and can automatically update the network topology map when changes occur in the network infrastructure. It can also generate detailed network diagrams and reports to help administrators make informed decisions about network design and management.

click here

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.